8 posts in this topic

capr 36

Hey, here's the scenario my customers have log ins for this care website that they use. I don't manage those log ins and can't host my page on the same domain. Since this page needs to stay secret, I need to put the link to it behind the log in that's being managed by someone else.

My worry is that people will just copy that link and distribute it once they find that going there directly doesn't require a log in.

Solution in my head : is there such a thing as a permutating URL? Can the URL to my page change every hour or so? This would require customers to log in and click on the button that I design for them rather than go directly to the link.

Other solutions are welcome however I have very limited access to what goes on at the secure domain with the logins.

Share this post

Link to post

Share on other sites

Adbot 1337

Tonicgoofy 27

Wouldn't it be easier to require a password that is generated every so-often ? and have it display on the link page. So even If they click on the link, they would still need the password that was next to the link

Share this post

Link to post

Share on other sites

capr 36

Wouldn't it be easier to require a password that is generated every so-often ? and have it display on the link page. So even If they click on the link, they would still need the password that was next to the link

that's a good solution, I will look into it. I doubt I will be able to display a variable password on the protected page.

Share this post

Link to post

Share on other sites

capr 36

Thanks everyone. I think this .htaccess solution will work for now. It's much easier than managing separate logins for all the clients. The information isn't very sensitive so i think this minimal security will work.

Share this post

Link to post

Share on other sites

+BudMan 2,554

Lets be clear this is not really any sort of security, this could be considered a access control method ;) But not a security feature - I can spoof a referrer in 2 seconds. With cookie check you could verify something that could kind of somewhat make it security - but just checking for cookie of specific name wouldn't be security no.

But these options are better access control than trying hide your site by just changing what url it answers to every so often ;)